QRadar rules and offenses
The configuration rule that is defined in the Custom Rules Engine (CRE) is used to generate offenses.
The following list describes rules and offenses:
- CRE
- The Custom Rules Engine (CRE) displays the rules and building blocks that are used by IBM QRadar. Rules and building blocks are stored in two separate lists because they function differently. The CRE provides information about how the rules are grouped, the types of tests that the rule performs, and the responses that each rule generates. For more information about rules and offenses, see the IBM QRadar User Guide.
- Rules
- A rule is a collection of tests that triggers an action when specific conditions are met. Each rule can be configured to capture and respond to a specific event, sequence of events, flow sequence, or offense. The actions that can be triggered include sending an email or generating a syslog message. A rule can reference multiple building blocks by using the tests that are found in the function sections of the test groups within the Rule Editor.
- Offenses
- As event and flow data passes through the CRE, it is correlated against the configured rules, and an offense can be generated from that correlation. You view offenses on the Offenses tab.
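To make the relationships above concrete, here is an added Python model of the path from rule to offense; it is illustrative code written for this page, not QRadar's own implementation. Building blocks are reusable named tests, a rule is a list of tests plus a response, and correlating a constructed event stream produces offenses. The building-block names, rule name, event fields and syslog-style response format are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, NamedTuple

Event = Dict[str, str]
# A test sees the current event and the events already processed (for sequence tests).
Test = Callable[[Event, List[Event]], bool]

# Building blocks: reusable named tests that several rules can reference (names assumed).
BUILDING_BLOCKS: Dict[str, Test] = {
    "BB:AuthFailure": lambda ev, hist: ev["outcome"] == "fail",
    "BB:AuthSuccess": lambda ev, hist: ev["outcome"] == "success",
}

def bb(name: str) -> Test:  # reference a building block from a rule's test list
    return BUILDING_BLOCKS[name]

def prior_failures_from_source(threshold: int) -> Test:
    """Sequence test: at least `threshold` earlier failures from this event's source."""
    return lambda ev, hist: sum(
        bb("BB:AuthFailure")(h, []) and h["src"] == ev["src"] for h in hist) >= threshold

@dataclass
class Rule:
    name: str
    tests: List[Test]                 # all tests must match for the rule to fire
    response: Callable[[Event], str]  # the rule response, here a syslog-style line

# An offense records which rule fired, on which source, and the response it produced.
Offense = NamedTuple("Offense", [("rule", str), ("source", str), ("message", str)])

RULES = [Rule(
    name="Login failures followed by success",
    tests=[bb("BB:AuthSuccess"), prior_failures_from_source(3)],
    response=lambda ev: f"<13>cre-demo: offense src={ev['src']} user={ev['user']}",
)]

def correlate(events: List[Event], rules: List[Rule] = RULES) -> List[Offense]:
    """Pass each event through every rule, as the CRE does, collecting offenses."""
    offenses, history = [], []
    for ev in events:
        for rule in rules:
            if all(test(ev, history) for test in rule.tests):
                offenses.append(Offense(rule.name, ev["src"], rule.response(ev)))
        history.append(ev)
    return offenses

# Constructed sample stream (not QRadar data): three failures, then a success, from one host.
SAMPLE_EVENTS: List[Event] = [{"outcome": o, "src": s, "user": u} for o, s, u in [
    ("fail", "10.0.0.5", "alice"), ("fail", "10.0.0.5", "alice"), ("success", "10.0.0.9", "bob"),
    ("fail", "10.0.0.5", "alice"), ("success", "10.0.0.5", "alice")]]
```

Only the final success from 10.0.0.5 fires the rule, because the sequence test counts the three earlier failures from that same source; the success from 10.0.0.9 has no prior failures and generates nothing.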
Tip: Use the IBM QRadar Use Case Manager app to review your rules and offenses. Download the app at the IBM® Security App Exchange (https://exchange.xforce.ibmcloud.com/hub/extension/bf01ee398bde8e5866fe51d0e1ee684a).